SonarQube is one of the most famous quality checkers.

Another good measure is the number of dependencies used: if too much, the quality might be poor (= poor maintainability).

Is the application vulnerable? Check OWASP for this.

In my experience Sonar optimization only gets you so far and especially does not discourage overly complex solutions.

But you'll at least know that there is some kind of testing, linting etc going on.